Android family, today’s all about you! 1Password 6 for Android is here, and it’s available for immediate (and FREE) download from Google Play. Wait, come back! I have more to tell you. I’m so excited about the features in version 6, you’ve got to let me talk about some of them. =)

Material Design

An application’s interface—the way you interact with it—is one of the most important things. In 1Password 6, we’ve given our app a face lift. But Material Design means so much more than that. Material Design is the name of what Google describes as a “visual language” for application designers and developers. It’s not just about fonts and colours, it’s about various visual elements that help provide a more consistent experience for you.

You’ll find cleaner and more spacious layouts, a navigation drawer, toolbars, and umpteen other things, all focused on a simpler, clearer, more convenient user experience.

If your phone or tablet has access to the Google Play Store and is running Android OS 4.1 or newer, you’ve got everything you need to install 1Password 6.

Fingerprint Unlock

1Password 6 can be unlocked with your fingerprint, using the sensor on your phone! One of my friends recently got a Google Nexus 5X, which has a neat little circle on the back of the phone that reads her fingerprint. It’s so subtle, because it looks like she’s just picking up her phone in a natural way. It’s really cool to see how this natural motion quickly and securely unlocks 1Password.

Fingerprint Unlock works on devices that support this new Google technology and are running Android OS 6.0 Marshmallow.

1Password for Teams

Whether you are a team of 1 or 100, a family of 2 or 12, if you have information that you want to selectively share with others, 1Password for Teams is the safest and simplest way to do it.

If you’ve already set up your team, you’ll be happy to hear that 1Password 6 enables you to easily add your 1Password for Teams account using the built-in QR code reader. 1Password for Teams support is in beta, but we didn’t want to keep you waiting for this oft-requested feature!

You mentioned that it’s time?

I did, didn’t I? Thanks for reminding me. =) It’s time for a bit of chest pounding. Time to dig deep and step up our game. It’s time for 1Password to exceed your expectations. We propose to do that with frequent-er updates and finely applied layers of polish on features that you already use and love.

Now that the new features have had their time in the spotlight, let’s talk about some significant fixes and improvements that are in version 6.0:

Fingerprint Unlock isn’t just for the main app—it also works on 1Password Keyboard!

Wi-Fi Sync is greatly improved, from the internal (database optimization) to the external (the notifications 1Password shows you).

There’s a toolbar everywhere now. Consistency means not having bits ‘n’ bobs poof in and out of view.

Icons for categories and settings have been refreshed.

There’s a floating button. I mean, it has a purpose: you can use it to add new items. But I think the more important thing here is that it’s a button that floats, like a magical blue orb.

Wait, version 6?

We’ve been focusing a lot on your 1Password experience. We want it to be delightful. Wherever possible, we want to simplify and clarify. So let’s talk for just a moment about the version number.

If you’ve been with us a while, you’ll note that we’ve skipped ahead a little bit. One small way of simplifying things is to use the same version number everywhere. Therefore, 1Password for Android is now version 6, aligning it with Mac and iOS (c’mon, Windows, we’re all cheering for you!).

1Password 6 for Android is a free download for everyone. It offers a one-time, in-app purchase to unlock its Premium features. If you’ve previously unlocked the Premium features, the version 6 upgrade is absolutely free. Thank you for your support!

We’d love to hear what you think about the new version, and invite you to join us in our discussion forums or leave a comment below. We’re also on Twitter and Facebook, if you prefer to chat with us there.

Awesome, thanks a lot for the update. I’m very happy to see the new version, and I’m definitely looking forward to checking out the fingerprint unlocking!

I’d also like to second the question about opvault. Ever since I switched to the newer format (from agilekeychain), I’ve had to perform manual password list updates rather than automatic Dropbox updates. I’d love if I could just let it auto-sync like before.

I would have loved to have gotten OPVault support into this release but alas it wasn’t to be.

1Password 6 was a huge release already. We completely redesigned the UX and have built an entirely new back end to support 1Password for Teams. Doing both of these (plus Fingerprint Unlock and all the other improvements above) took an incredible amount of time and energy. We didn’t want to delay 6.0 any further to add additional features. Once the dust settles from this release we’ll re-evaluate things and see what step to take next.

With that said, I think it’s important to know that we have made some progress towards OPVault already. For example, the new Teams uses a similar encryption format as OPVault, so the knowledge we gained during implementation will help us down the road.

Time is a fickle thing. Some things that you initially think are easy sometimes take forever. And unfortunately the reverse doesn’t happen as often as I’d like :)

I like OPVault as much as the next guy (I participated in its design) so I love your enthusiasm for this feature. With that said, if you really want to use the latest and greatest data format available, I recommend that you use the new teams feature. With 1Password for Teams, we encrypt item URLs and Titles, and we’ve made things even more secure than OPVault. You can read the full details in our White Paper, but suffice it to say we are constantly evolving our data formats and we’ve taken OPVault to the next level. For example, AES-GCM provides authenticated encryption with far superior performance, and the Account Key strengthens your Master Password with 128 bits of entropy.

1Password for Teams has unmatched security, so if you want to have the best of the best, it’s the best way to go. I suppose it might feel a little weird to sign up a team of 1 person, but it works just as well with a team of 1 or 100 :)

Regarding one time password generation, do you mean the ability to display Two Factor Authentication tokens? If so, yes, absolutely. Here’s a screenshot of one of my items that contains a TOTP field for second factor authorization:

The screenshot I showed you was for a Login that I created on my Mac. At the moment you cannot add custom fields or sections on Android. You can view and edit the extra information that was added on other platforms, but you cannot add your own fields. This is something we plan on adding in the future.

In theory this should be possible, but it’s a lot more work than you may initially think. The code that we’re using is specific to OS X and will require a lot of time to move over to Android.

The other issue is iCloud doesn’t enable private sharing between users, so it only makes sense for primary vaults.

With that said, I’m not ruling out iCloud on Android as it would be a pretty cool feature to have. It doesn’t seem like the best investment of time, however, so I expect it will take a while to bubble up on the priority list.

In sum, if I could simply flip a switch, we’d have OPVault already. Things ended up taking a lot more time than expected. Instead of delaying 1Password 6 any further it would be better to ship without this feature. The new Material Design and Fingerprint Unlock were too cool to keep under wraps any longer.

Our Android team needs more time to catch up on their TODO list. Until then, I hope you enjoy the other features in this release :)

Thank you for the information, even if it’s disappointing. You are not even close to OPVault support on Android? You introduced it in December 2012, over four years ago. At the very least I expected you to focus on OPVault support after the controversy with Dale Myers’ blog post last year. That’s it for me, I’m not going to buy the premium features for the App or the next Upgrade for Desktop, instead I’m going to find an alternative.

I have to agree with this completely. I am astonished that OPVault support hasn’t made it to Android yet, and it took a controversy to highlight that it wasn’t even being used as default on other platforms.

Having been following this and requesting it for some time, I can only assume that AgileBits literally don’t care. I’ve seen huge new features and updates in the mean time but OPVault remains elusive. This gives the impression that flashy new features are seen as more important than the security aspect.

The fact that some staff are even defending and recommending some users switch back to the AgileKeychain format to use with Android is also astounding. I accept that they’re aware of the weaknesses and clearly don’t see them as significant, but users don’t necessarily understand the nuances of each format and don’t expect the weaknesses of the AgileKeychain format (metadata leaks).

This whole debacle has dented my trust in AgileBits, which is absolutely essential with a password management application. I will certainly be reviewing my position and looking at other options in the future.

It’s awesome to hear you so passionate about the OPVault data format. The worst thing in the world would be if nobody cared about it after we invested so much time and effort into it. I participated in its design so I love hearing your enthusiasm for this feature.

While OPVault itself has not made it into Android, in many ways we leapfrogged it with 1Password for Teams. In teams we encrypt item URLs and Titles and have several other enhancements that take the design principles within OPVault to the next level. For example, our authenticated encryption now uses AES-GCM for far superior performance, and the randomly generated Account Key greatly strengthens your Master Password. We cover the design of 1Password for Teams in full detail within our White Paper. We’re constantly evolving our data formats and the teams design is the next step in this process.

1Password for Teams has unmatched security, so if you want to have the best of the best, it’s the best way to go. It might feel a little weird to sign up a team of 1 person, but it works just fine with a team of 1. You can also create a family team or a company team and you can invite others to join you. That way you won’t be lonely :)

Thanks for providing some background and information. I’ll have a good read of the white paper and the missing sections once completed. One of the reasons I first chose 1Password & Knox was down to the openness of AgileBits, particularly with regard to security decisions, and I’m glad to see this is still the case.

However, the news that 1Password for Teams uses a new vault format that is even more secure simply raises more questions for me. Mainly, when will it come to personal vaults? ;) Having only scanned the white paper at this point I’m also unsure if some of the design decisions made for Teams would be appropriate for a personal vault format (the introduction of public key cryptography, for example).

I’m also moderately disappointed you chose to go with RSA rather than ECC for the public key side of things, but I can see you’ve prepared to make that switch at some point.

That said, I’ll end on a quote of this rather ironic statement (given the slowness of the Cloud Keychain/OPVault rollout) from the white paper:

“Because we supply all of the clients, we can manage upgrades without enormous difficulty.”

Ha! Thank you for that amazingly ironic quote, Adam! I guess it depends on how you define “enormous difficulty” :)

It’s a good question about data formats and back porting new techniques to older data formats. In general we try to avoid changing data formats once they exist as it would cause problems with older clients. For example, we still have users using 1Password 2 on Mac and since we’re careful with any changes, they don’t run into any issues.

As for RSA vs. ECC, I’m going to leave that one for Goldberg to go into more detail. After reading his post on elliptical curves, I think he’s the best one to answer this.

I suspect the main reason is simply compatibility between all the various libraries and platforms, but I’ll leave the specifics for him. Hopefully it’s a fun answer that can be added directly to the White Paper :)

Hi Adam, you raise a couple of interesting and related points about ECC v RSA and about our ability to roll out new clients.

These are actually very closely related points. We do control our clients (unlike, say, a webserver having to deal with browsers that are not distributed by the provider of the webservice). But we do not control the cryptographic libraries natively available to us on all clients.

We try to

(a) Write as little cryptography as we can
(b) Have as few third party library dependencies as we can

As a consequence, we rely heavily on the cryptographic libraries offered directly by the platforms on which we run. And those definitely influence our choices.

If we decide we need a particular security property we will do what we have to do to get it. But for a choice like the one between RSA and ECC, there really isn’t a compelling security property of the latter. The real technical advantage is that ECC works with much smaller keys to get the same strength. A 256-bit ECC key offers 128-bit security (because of something I didn’t explain in the Ps and Qs article), while to get 128-bit security from RSA, a 3072-bit modulus is required.

When we offer 1Password for the Internet of Things and have to run on very small, low power devices, then ECC may be compelling. But this isn’t something I anticipate happening. So really the preference for ECC over RSA is “other things being equal, it would be better to use ECC”. But having to bring in more complex 3rd party libraries is not “other things being equal.”

So other than key size, efficiency, and some issues that are handled by a good library, there really are no significant security properties we need from ECC that RSA doesn’t offer. When libraries across platforms provide us with the routines we need, we can relatively easily move.
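The key-size gap described in the comment above can be worked through numerically. This is an added example, not code from the post or from AgileBits. It assumes the standard heuristic cost of the general number field sieve for factoring an RSA modulus (with its o(1) term dropped), calibrates that curve at the comment's own figure of 3072-bit RSA for 128-bit security, and uses the square-root cost of generic attacks such as Pollard's rho for ECC; all function names are the example's own.

```python
import math

# Constant in the heuristic GNFS running time L_n[1/3, (64/9)^(1/3)].
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_raw_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost for an RSA modulus of this size.

    Assumption: the o(1) term of the asymptotic formula is dropped, so the
    absolute value is only meaningful after calibration.
    """
    ln_n = modulus_bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


# Calibration anchor taken from the comment: 3072-bit RSA ~ 128-bit security.
ANCHOR_BITS, ANCHOR_STRENGTH = 3072, 128
OFFSET = gnfs_raw_bits(ANCHOR_BITS) - ANCHOR_STRENGTH


def rsa_strength(modulus_bits: int) -> float:
    """Estimated security level in bits, calibrated at the anchor point."""
    return gnfs_raw_bits(modulus_bits) - OFFSET


def ecc_strength(key_bits: int) -> float:
    """Generic discrete-log attacks take about sqrt(group order) steps,
    so an n-bit curve gives roughly n/2 bits of security."""
    return key_bits / 2


def rsa_bits_for(strength: float) -> int:
    """Smallest modulus size whose calibrated estimate reaches `strength`."""
    lo, hi = 512, 65536
    while lo < hi:
        mid = (lo + hi) // 2
        if rsa_strength(mid) + 1e-9 >= strength:
            hi = mid
        else:
            lo = mid + 1
    return lo


def comparison(ecc_sizes=(256, 384, 512)):
    """Rows of (ECC key bits, security bits, matching RSA modulus bits)."""
    return [(k, ecc_strength(k), rsa_bits_for(ecc_strength(k))) for k in ecc_sizes]


if __name__ == "__main__":
    print(f"{'ECC bits':>8} {'security':>9} {'RSA bits':>9}")
    for ecc_bits, strength, rsa_bits in comparison():
        print(f"{ecc_bits:>8} {strength:>9.0f} {rsa_bits:>9}")
```

Doubling the ECC key from 256 to 512 bits doubles the estimated security level, while the matching RSA modulus grows roughly fivefold; the estimates for the larger sizes land close to the 7680-bit and 15360-bit figures in NIST SP 800-57.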

Our first implementation of filling used the Accessibility Service instead of relying on a custom keyboard, but we quickly found some insurmountable issues. There were simply too many limitations and compromises for it to be an all-round filling solution.

Our lead developer on Android wrote a comprehensive post in our discussions forums about why using the keyboard is the best approach for security and reliability:

We’re constantly looking for ways to make filling even easier. There are some serious security concerns with how other apps do it and we want to make sure we can perform our filling in the most secure way possible.

Beautiful new design… but I am quite shocked to see a critical thing missed here. It takes you 4 steps (after unlocking) to get to the “search” icon, which is what I use 100% of the time to find the login I need. In the Mac app and browser extensions, search is rightly the very first available action when you open.

Agreed – search is a HUGE missing feature. 1PW6 gives the app a fresh coat of paint, but the core functionality remains just as limited as before.

That fancy new toolbar that’s always visible on every screen of 1PW6? Yeah, that toolbar would be a perfect place for a big ‘ole search field. (Not a search magnifier glass – give me a text box and voice search icon that I can immediately begin typing or speaking into – in Material Design terms, this is referred to as “Persistent Search.” See: https://www.google.com/design/spec/patterns/search.html#)

And while you’re at it, can we have search actually search through EVERYTHING and not just login titles? Just this weekend I couldn’t find a login because I searched based on its URL which was different than its title. The same search works beautifully in the Mac app because all fields are searched.

It would be awesome if the search field was more prevalent, and we have plans to do exactly that. In fact, we hope to have this within the next beta. It would be awesome if you joined our beta family and let us know what you think of this change when we roll it out (hopefully later this week, if not next). You can join our beta here:

Regarding your “Search Everywhere” comment, @Paul, you’re totally right. Including URLs in the search would be super awesome. In fact, I rely on this myself and am pushing the Android team to do exactly this. The change will appear first in the betas, so please join us if you’d like it sooner than later.

Yep, same here. Thanks for considering this one. Also, would you consider some “smart” suggestions? I.e., if the login is for https://www.lovetoride.net/ and the app is called com.challengeforchange.lovetoride – then it would be nice to see it suggested automatically, with me still confirming that’s the case…

Thanks for the feedback Greg! Your idea about “smart” suggestions is a smart suggestion! There is definitely an opportunity to provide more intelligent matching between login URLs and package names. For example, the current logic is effective at matching the official Twitter app with twitter.com, but would struggle to match other Twitter clients. We’ll see if we can improve on that in future updates.

While in the meantime I’ve moved back to iOS, I appreciate this update; multi-platform support is important (I had a discussion in the forum about synchronization a while ago). Now give some love to the Windows version and maybe port to Linux if you can :)

That’s a great point, multi-platform support is super important. And doing things how they should be done on those platforms is equally important. I love how the team has made 1Password feel at home on Android. The new Material Design is lovely.

I think this is a trick question as there are many more “next steps”. That’s one of the cool things about having a larger team as we’re able to have a few balls in the air at once instead of just one :)

Linux is important and with teams we have an excellent web app that works great there. We have further to go but many Linux teams are using it already and it’s working quite well. If you haven’t signed up your team yet, be sure to check it out:

I would also very much like to see a persistent search bar (or at least one that isn’t buried beneath several user actions). Filtering the list during input would also be great. That’s how it works on my 1Password desktop app.

Thank you for your feedback on our release. We understand how often search is used and I would also like to see search be more accessible in 1Password for Android. Our plan is to improve search starting in our next beta update.

Awesome! It’s great to hear your enthusiasm, Josh. It fuels us to keep moving forward :)

As for Linux, we have an awesome web client in 1Password for Teams that I think you’ll find very handy. It’s a lot more than just a simple reader; it has support for editing, restoring previous versions, Time-based One-time Passwords, etc. It’s a full featured app and I’d love for you to try it out and let us know what you think.

I’ve recently purchased the premium version for Android and so far I’m finding it useful and generally a good experience to use. However, can UK users ever expect to see card and bank account fields etc. geared towards the UK market? For example, we have debit cards in the UK which is distinctly different from Credit Cards, also, bank account routing number is something which we don’t have in the UK, perhaps it’s analogous to our Sort Code? More generally, could a feature be added where fields can be added/removed/hidden so entries are more appropriate for how things work in a given country?

Thank you for the kind words about 1Password! I’m glad you’re finding it useful and enjoyable to use :)

You bring up a great point about bank accounts and how each country handles them slightly differently. One option would be for us to have a UK specific banking template, and we are considering doing that, but the more flexible option is to allow you to customize items to fit your needs.

On Mac and Windows we allow you to add custom fields and define your own sections, and we’d like to bring this feature over to Android in a future update. Custom fields added on other platforms are displayed just fine on Android, so one workaround available to you now is to customize things on your Mac or PC and then you can view them on Android.